Monthly Archives: April 2016

When OUD is used for EUS as a proxy server, it needs specific credentials to connect to the LDAP server that is actually storing the users and groups.

Those credentials are set in the configuration of the proxy-ldap-workflow-element, through the parameters remote-ldap-server-bind-dn and remote-root-dn. Usually, the credentials for the LDAP server administrator are used: cn=directory manager for ODSEE or OUD, cn=administrator,cn=users,<baseDN> for Active Directory.

Some customers do not want to use the LDAP administrator credentials. In this case, it is possible to use an alternate user identity, but this user must comply with specific requirements depending on the LDAP server flavour.

It is also possible to use two different users: one as remote-root-dn and another as remote-ldap-server-bind-dn.

Reminder: the remote-ldap-server-bind-dn is the identity used to connect to the LDAP server for all the operations directly performed by the Database. The remote-root-dn is the identity used to perform internal operations triggered by the Database.

For instance, if the database connects to OUD proxy and performs a search for (uid=joe) with a control requesting the user account status, the search may have to be handled in multiple steps by OUD proxy, depending on the LDAP server flavour. A first step would be the actual search on the LDAP server, and a second step would translate the control into an internal extended operation requesting the user account status.

Follow the steps corresponding to your LDAP server.

Active Directory deployments

The remote-ldap-server-bind-dn must be able to read all the attributes on dc=example,dc=com.

The remote-root-dn must be able to read all the attributes on dc=example,dc=com.

ODSEE deployments

The remote-ldap-server-bind-dn must be able to read dc=example,dc=com. You can use the following command to define the required ACI on ODSEE (replace cn=eusproxy,dc=example,dc=com with the appropriate value):

During EUS setup, the administrator needs to provide a user DN and password to authenticate to the directory server (for instance during the dbca step, or while using eusm or Enterprise Manager).

In some companies, the database and the LDAP server are managed by different teams and the LDAP administrator credentials cannot be provided to the database administrator. In this case, it is possible to administer EUS using an alternate identity, i.e. not cn=directory manager. The requirements for this alternate identity are the following:

the user must be a member of the group cn=OracleContextAdmins,cn=Groups,cn=OracleContext,<base DN>

the user must have the password-reset privilege

Here is an example of configuration steps: create an input.ldif file with the following content

Note 1: this EUS admin user can be stored in your preferred location inside the DIT, but NOT BELOW cn=oraclecontext,<base DN>. For instance, cn=eusadmin,ou=people,dc=example,dc=com is valid, but cn=eusadmin,cn=oraclecontext,dc=example,dc=com is NOT valid.

Note 2: the EUS admin user does not have to be named eususer.

Note 3: if OUD is installed as a proxy server, then the EUS admin user must be stored locally inside OUD proxy, and for instance cn=eususer,cn=oraclecontext would be a valid location.
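As an added example (not part of the original post), the following script generates an input.ldif that creates the alternate EUS admin user and adds it to cn=OracleContextAdmins, and it enforces the placement rule from Note 1 and the OUD-proxy exception from Note 3 before writing anything. The user name, password, base DN and the assumption that OracleContextAdmins is a groupOfUniqueNames (uniqueMember attribute) are my own; the password-reset privilege is server-specific and is not covered here.

```python
"""Build input.ldif for an alternate EUS admin identity and check where it is placed.
Added example; names, password and base DN are sample values, not from the post."""


def _rdns(dn):
    # Split a DN on unescaped commas; DNs are case-insensitive and spaces
    # around RDNs are not significant, so normalise each component.
    parts, cur, esc = [], "", False
    for ch in dn:
        if esc:
            cur += ch
            esc = False
        elif ch == "\\":
            cur += ch
            esc = True
        elif ch == ",":
            parts.append(cur.strip().lower())
            cur = ""
        else:
            cur += ch
    parts.append(cur.strip().lower())
    return parts


def is_valid_eus_admin_dn(user_dn, base_dn, oud_proxy=False):
    """Note 1: the EUS admin must NOT sit below cn=OracleContext,<base DN>.
    Note 3: with OUD as a proxy the user is stored locally in the proxy and
    a location below cn=oraclecontext is acceptable."""
    if oud_proxy:
        return True
    forbidden = _rdns("cn=OracleContext," + base_dn)
    rdns = _rdns(user_dn)
    return not (len(rdns) > len(forbidden) and rdns[-len(forbidden):] == forbidden)


def eus_admin_ldif(user_dn, password, base_dn):
    """Return LDIF adding the user entry and its OracleContextAdmins membership."""
    if not is_valid_eus_admin_dn(user_dn, base_dn):
        raise ValueError("EUS admin user must not be below cn=OracleContext,<base DN>")
    cn = user_dn.split(",", 1)[0].split("=", 1)[1]
    group_dn = "cn=OracleContextAdmins,cn=Groups,cn=OracleContext," + base_dn
    return (
        f"dn: {user_dn}\nchangetype: add\n"
        "objectClass: top\nobjectClass: person\n"
        f"cn: {cn}\nsn: {cn}\nuserPassword: {password}\n\n"
        # Assumption: the group is a groupOfUniqueNames (uniqueMember).
        f"dn: {group_dn}\nchangetype: modify\n"
        f"add: uniqueMember\nuniqueMember: {user_dn}\n"
    )
```

Feed the output to ldapmodify as the directory administrator; the group modify fails cleanly if the user entry was rejected.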